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Abstract 

Oblivious transfer is the cryptographic primitive where Alice sends one of two bits to Bob 
but is oblivious to the bit received. Using quantum communication, we can build oblivious 
transfer protocols with security provably better than any protocol built using classical commu- 
nication. However, with imperfect apparatus one needs to consider other attacks. In this paper 
we present an oblivious transfer protocol which is impervious to lost messages. 

1 Introduction 

Quantum information allows us to perform certain cryptographic tasks which are impossible us- 
ing classical information alone. In 1984, Bennett and Brassard gave a quantum key distribution 
scheme which is unconditionally secure against an eavesdropper IMayOl ILC99llPS00| . This led 



to many new problems including finding quantum protocols for other cryptographic primitives 
such as coin-flipping and oblivious transfer. 

Coin-flipping is the cryptographic primitive where Alice and Bob generate a random bit over a 
communication channel. We discuss two kinds of coin-flipping protocols, weak coin-flipping where 
Alice wants outcome and Bob wants outcome 1, and strong coin-flipping where there are no 
assumptions on desired outcomes. We define weak coin-flipping below. 

Definition 1.1 (Weak coin-flipping (WCF)). A weak coin-flipping protocol, denoted WCF, with 
cheating probabilities (AwcF/Bwcf) and bias £wcf is a protocol with no inputs and output c £ {0,1} 
satisfying: 

• if Alice and Bob are honest, they output the same randomly generated bit c; 

• ^wcf is the maximum probability dishonest Alice can force honest Bob to accept the outcome c = 0; 

• Swcf is the maximum probability dishonest Bob can force honest Alice to accept the outcome c = 1; 

• £wcf := max{A WCF ,B WCF } - 1/2. 

The idea is to design protocols which protect honest parties from cheating parties and there 
are no security guarantees when both parties are dishonest. We can assume neither party aborts 
in a WCF protocol. If, for instance, Alice detects Bob has cheated then she may declare herself the 
winner, i.e., the outcome is c = 0. This is not the case in strong coin-flipping since there is no sense 
of "winning." 
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Definition 1.2 (Strong coin-flipping (SCF)). A strong coin-flipping protocol, denoted SCF, with, 
cheating probabilities ( AgcF/ £>scf) an< ^ ^ as £ scf is a protocol with no inputs and output c G { 0, 1, abort } 
satisfying: 

• if Alice and Bob are honest, then they never abort and they output the same randomly generated bit 
cG {0,1}; 

• ^scf is the maximum probability dishonest Alice can force honest Bob to accept some outcome c = a, 
over both choices ofaE {0, 1}; 

• BgcF is the maximum probability dishonest Bob can force honest Alice to accept some outcome c = b, 
over both choices ofb G {0, 1}; 

• £ S cf := max{A SCF , B SCF } - 1/2. 

We note here that SCF protocols can be used as WCF protocols. The only issue is if the outcome 
is "abort". In this case, the party who detected the cheating announces themselves the winner. 
Doing this, the bias in the WCF protocol is the same as in the SCF protocol. 

Aharonov, Ta-Shma, Vazirani, and Yao MATVY00B first showed the existence of an SCF protocol 
with bias £scf < 1 / 2 followed shortly by Ambainis IIAmbOll who showed an SCF protocol with 



bias £scf = 1/4. As for lower bounds, Mayers | May97 1, Lo, and Chau IILC97II showed that bias 



£ scf = is impossible. Kitaev |Kit03) , and later Gutoski and Watrous IIGW07L extended this result 
to show that the bias of any SCF protocol satisfies £scf > 1 / —1/2. This bound was proven 
to be tight by Chailloux and Kerenidis BCK09M who showed the existence of protocols with bias 
e SC F < 1/V2- 1/2 + <5 for any 5 > 0. 

As for WCF protocols, it was shown that the bias could be less than Kitaev's bound. For 
example, the protocols in IISR021 IKN041 IMoc05l provide biases of £wcf = 1/V2-1/2, £WCF — 
0.239, and £wcf = 1/6, respectively. The best known lower bound for WCF is by Ambainis 
BAmb01| who showed that a protocol with bias £wcf must use Q(loglog(l/ewcF)) rounds of 
communication. Then, in a breakthrough result, Mochon RMoc07B showed the existence of WCF 
protocols with bias £wcf < $ for any 5 > 0. 

Oblivious transfer is the cryptographic primitive where Alice sends to Bob one of two bits but 
is oblivious to the bit received. We define oblivious transfer and its notions of cheating below. 

Definition 1.3 (Oblivious transfer (OT)). An oblivious transfer protocol, denoted OT, with cheating 
probabilities (Aqt, Sot) an d bias £ot is a protocol with inputs satisfying: 

• Alice inputs two bits (xq, X\) and Bob inputs an index b G {0, 1}; 

• when Alice and Bob are honest they never abort, Bob learns x\, perfectly, Bob gets no information 
about Xfy and Alice gets no information about b; 

• Aqt is the maximum probability dishonest Alice can learn b without Bob aborting the protocol; 

• Bqt is the maximum probability dishonest Bob can learn xq © x\ without Alice aborting the protocol; 

• £ OT = max{A T,BoT} - 1/2. 

When a party cheats, we only refer to the probability which they can learn the desired values 
without the other party aborting. For example, when Bob cheats, we do not require that he learns 
either bit with probability 1. 
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In the OT definition above there can be different ways to interpret the bias. For example, we 
could consider worst-case choices over inputs, we could assume the inputs are chosen randomly, 
etc. The protocol construction given in this paper is independent of how the inputs are chosen so 
this is not an issue. 

Like weak coin-flipping, oblivious transfer has a related primitive which is useful for the anal- 
ysis in this paper. 

Definition 1.4 (Randomized oblivious transfer (Random-OT)). A randomized oblivious transfer 
protocol, denoted Random-OT, with cheating probabilities (Arqt, Brot) an d bias £rqt is a protocol with 
no inputs satisfying: 

• Alice outputs two randomly generated bits (xq, x\) and Bob outputs two bits (b, x&) where b 6 {0, 1} 
is independently, randomly generated; 



when Alice and Bob are honest they never abort, Bob gets no information about x%, and Alice gets no 
information about b; 

• ^rot zs ^e maximum probability dishonest Alice can learn b without Bob aborting the protocol; 

• Brot is the maximum probability dishonest Bob can learn xq © x\ without Alice aborting the protocol; 

• £rot = max{ Arqt, Brot} - 1/2. 

We note here that a protocol is considered fair if the cheating probabilities for Alice and Bob 
are equal and unfair otherwise. 

OT is an interesting primitive since it can be used to construct secure two-party protocols 
1IEGL82H . HCre87H , IRab81l . It was shown by Lo jLo97] that £ OT = is impossible. This result 
was improved by Chailloux, Kerenidis, and Sikora HCKS10H who showed that every OT protocol 
satisfies £ot > 0.0586. 

Various settings for oblivious transfer have been studied before such as the bounded-storage 
model HDFSS08H and the noisy-storage model |SchlOL In this paper, we study only information 
theoretic security but we allow the possibility of lost messages (more on this below). Oblivious 
transfer has a rich history, has various definitions, and has many names such as the set membership 



problem [JRS02| or private database Querying | JSG + 10 [. 



A loss-tolerant protocol is a quantum cryptographic protocol which is impervious to lost mes- 
sages. That is, neither Alice nor Bob can cheat more by declaring that a message was lost (even 
if it was received) or by sending blank messages deliberately. We prefix a protocol with "LT-" to 
indicate that it is loss-tolerant. 

The idea of loss-tolerance was first applied to strong coin-flipping by Berlin, Brassard, Bussieres, 
and Godbout in [BBBG08J. They showed a vulnerability in the best known coin-flipping protocol 
construction by Ambainis MAmbOll . They circumvented this problem and presented an LT-SCF 
protocol with bias £scf = 0.4. Aharon, Massar, and Silman generalized this protocol to a family of 
LT-SCF protocols with bias slightly smaller at the cost of using more qubits in the communication 
IAMS10L Chailloux added an encryption step to the protocol in [BBBG08J to improve the bias 
to £scf = 0-359 BChalOll . The best known protocol for LT-SCF is by Ma, Guo, Yang, Li, and Wen 
1 MGY+11I who use an EPR-based protocol which attains a bias of e$c¥ = 0.3536. It remains an 



open problem to find the best possible biases for LT-WCF and LT-SCF. In fact, we do not even 
know if there is an LT-WCF protocol with bias less than the best possible bias for LT-SCF; they 
may in fact share the same smallest possible bias. 

The first approach to designing loss-tolerant oblivious transfer protocols was by Jakobi, Simon, 



Gisin, Bancal, Branciard, Walenta, and Zbinden [JSG + 10|. They designed a loss-tolerant protocol 
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for private database querying which is also known as "1-out-of-N oblivious transfer." The pro- 
tocol is not technically an oblivious transfer protocol (using the definition in this paper) since an 
honest Bob may receive too much information. However, it is practical in the sense that it is se- 
cure against the most evident attacks. The backbone of their protocol is the use of a quantum key 
distribution scheme. This differs from the loss-tolerant protocol in this paper which is based on 
weak coin-flipping. 

The results of this paper 

We first present a protocol in Section [2] and prove it is not loss-tolerant. Then, in Section [3l we 
show how to build LT-OT protocols from LT-WCF and LT-Random-OT protocols. Namely, we 
prove the following theorem. 

Theorem 1.5. Suppose there exists an LT-WCF protocol with cheating probabilities (Awcf/ Bwcf) an d 
bias £wcf an d m LT-Random-OT protocol with cheating probabilities ( Arotv Brot) an d bias £rot- Then 
there exists an LT-OT protocol with cheating probabilities 

Aqj — A W cf I^rot _ BrotI + rnin{A R oT/ £>rot}/ 
£>ot = #wcf I^ROT — BrotI + min{A R OT/ Brot}- 

This protocol has bias 

£ ot < I^rot _ Brot| + min{AROT, Brot} — 1/2 = £rot- 

We have £qt < £rot when £wcf < 1/2 and Arqt ^ Brot- Furthermore, the OT protocol is fair when 
the LT-WCF protocol is fair. 

In Subsection 13.41 we show the existence of an unfair LT-Random-OT protocol with cheating 
probabilities (Arot/Brot) = (1/1/2). Combining this with the fact that there is a fair LT-WCF 
protocol with bias £wcf = 0.3536 lMGY + llH we get the following corollary. 



Corollary 1.6. There exists a fair LT-OT protocol with bias £ot = 0.4268. 

2 An example of a Random- OT protocol that is not loss-tolerant 

In this section, we examine a protocol for Random-OT and show it is not loss-tolerant. This pro- 
tocol has the same vulnerability as the best known coin-flipping protocol constructions based on 
bit-commitment, see [BBBG08J for details. 

Protocol 2.1 (A Random-OT protocol BCKS10D ). 

(i) Bob randomly chooses b G {0, 1} and sends Alice half of the two-qutrit state 

\<p h ) := -L \bb) + -L |22) . 

(ii) Alice randomly chooses xq, x\ G {0, 1} and applies the following unitary to the qutrit 

|0) _►(_!)*> |o>, |2)-H2). 
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(iii) Alice returns the qutrit to Bob. Bob now has the two-qutrit state 

(-\Y b 1 
^-L- \bb) + — 22 . 

(iv) Bob performs the measurement {TIq := |</>£,) (<^,|, 111 := 1 — EIo} on the state. 

(v) If the outcome is TIq then Xj, = 0. If the outcome is Hi then x\, = 1. 

(vi) Any lost messages are declared and the protocol is restarted from the beginning. 

It has been shown in BCKS10M that Bob can learn xq © x\ with probability 1 and Alice can 
learn b with maximum probability 3/4. However, this does not take into account "lost-message 
strategies." We now show such a strategy and how Alice can learn b perfectly. Suppose Alice 
measures the first message in the computational basis. If she sees outcome "0" or "1" then she 
knows Bob's index b with certainty. If the outcome is "2" then she replies to Bob, "Sorry, your 
message was lost." Then they restart the protocol and Alice can measure again. Eventually, Alice 
will learn b perfectly proving this protocol is not loss-tolerant. 

This protocol illustrates another interesting point about the design of OT protocols. One may 
not be able to simply change the amplitudes in the starting states to balance the cheating proba- 
bilities. For example, if we were to change the amplitudes in \(py), then Bob would have a nonzero 
probability of getting the wrong value for Xy. Thus, balancing an unfair OT protocol is not as 
straightforward as it can be in coin-flipping. 

3 Constructing loss-tolerant oblivious transfer protocols 

In this section, we prove Theorem ll.5l by constructing an LT-OT protocol from an LT-WCF protocol 
and a (possibly unfair) LT-Random-OT protocol. In doing so, we have to overcome some issues 
that are not present when designing LT-SCF protocols. These issues include: 

• it is not always possible to simply reset a protocol with inputs; 

• balancing the cheating probabilities can be difficult; 

• it is not possible to switch the roles of Alice and Bob since Bob must be the receiver; 

• an honest party must not learn extra information about the other party's inputs (or outputs 
in the case of Random-OT). 

We deal with these issues by reducing the problem one step at a time. First we reduce the task 
of finding LT-OT protocols to finding LT-Random-OT protocols in Subsection 13. II Then we build 
an LT-Random-OT protocol from an LT-WCF protocol and two (possibly unfair) LT-Random-OT 
protocols in Subsection l3.2l In Subsection l3.3l we show how to create the two LT-Random-OT pro- 
tocols from a single LT-Random-OT protocol. Finally, we show an unfair LT-Random-OT protocol 
in Subsection [33] to prove Corollary II .61 



3.1 Equivalence between LT-OT protocols and LT-Random-OT protocols with re- 
spect to bias 

Having a protocol with inputs is an issue when building protocols loss-tolerantly. In recent LT-SCF 
protocols, if messages were lost for any reason, then the protocol is simply restarted at some point, 
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but this is not always an option with OT because the inputs could have context, e.g., Alice's bits 
could be database entries. For this reason, we cannot simply "reset" them and repeat the protocol. 
To remedy this issue, we use Random-OT. 

It is well known that OT and Random-OT share the same cheating probabilities, i.e., if there ex- 
ists an OT protocol with cheating probabilities ( Aqj, £>ot) = ( x , y) then there exists a Random-OT 
protocol with cheating probabilities (Arot/Brot) = (x,y), and vice versa. For completeness, we 
show these reductions and prove they preserve loss-tolerance. 

Protocol 3.1 (LT-Random-OT from LT-OT). 

(i) Alice randomly chooses xq, X\ G {0, 1} and Bob randomly chooses b G {0, 1}. 

(ii) Alice and Bob input the choices of bits above into the LT-OT protocol so that Bob learns Xy. 

(iii) Alice outputs (xq, X\) and Bob outputs (b, %\f). 

It is straightforward to see that this reduction preserves the loss-tolerance of the LT-OT proto- 
col since we are only restricting how the inputs are chosen. More interesting is the reduction from 
LT-Random-OT to LT-OT. 

Protocol 3.2 (LT-OT from LT-Random-OT). 

(i) Alice and Bob decide on their desired choices of inputs to the LT-OT protocol. 

(ii) Alice and Bob use an LT-Random-OT protocol to generate the output (xq, Xi) for Alice and {b, X]f) 
for Bob. 

(iii) Bob tells Alice if his output bit b is equal to his desired index. If it is not equal, Bob changes it and 
Alice sivitches her two bits. 

(iv) Alice tells Bob which of her two bits (xq, x\) are equal to her desired inputs. Alice and Bob flip their 
outcome bits accordingly. 

This reduction is a way to derandomize the outputs of the LT-Random-OT protocol. We see 
that this also preserves the loss-tolerance of the LT-Random-OT protocol since classical informa- 
tion can simply be resent if lost in transmission. 

Using the reductions above, we have reduced the task of finding LT-OT protocols to finding 
LT-Random-OT protocols. 

3.2 Creating LT-Random-OT protocols 

There is a simple construction of an SCF protocol with bias e ~ 3/4 and it proceeds as follows. 
Alice and Bob first use a WCF protocol with bias e ~ 0. The "winner" gets to flip a coin to 
determine the outcome of the SCF protocol. Of course, a dishonest player would like to "win" the 
WCF protocol since then they have total control of the SCF outcome. 

We mimic this idea to create a protocol prototype for LT-Random-OT and discuss why it does 
not work. 

Protocol 3.3 (A protocol prototype). 

(i) Alice randomly chooses tivo bits (xq, x\) and Bob randomly chooses an index b G {0, 1}. 

(ii) Alice and Bob perform an LT-WCF protocol with bias £wcf to create random c G {0, 1}. 
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(iii) Ifc = O r then Bob sends b to Alice. Alice then replies with xy. 

(iv) If c — 1, then Alice sends (xq, *i) to Bob. 

This protocol has bias £rot < 1/2 if £wcf < 1/2. However, the problem is that honest Alice 
learns b with probability 3/4 when Bob is honest. This is simply not allowed in a Random-OT 
protocol because honest Alice should never obtain any information about b. Honest Bob learns 
Xq © X\ with probability 3/4, which is also not allowed since he should only learn Xq or X\ . This 
illustrates another issue when designing OT and Random-OT protocols. 

To remedy this problem, instead of Alice and Bob revealing their bits entirely, they can use 
(possibly unfair) LT-Random-OT protocols. We present a modified version of the protocol below. 

Protocol 3.4 (An LT-Random-OT protocol). 

(i) Alice and Bob perform an LT-WCF protocol with cheating probabilities ( AwcF/ £>wcf) and bias £wcf 
to create random c G {0, 1}. 

(ii) lfc = 0, then Alice and Bob generate their outputs using an LT-Random-OT protocol with cheating 
probabilities (Arot/Brot) = { x >y)' where x > y. 

(iii) If c = 1, then Alice and Bob generate their outputs using an LT-Random-OT protocol with cheating 
probabilities (A rc ,t,Brot) = (]/,*)• 

(iv) Alice and Bob abort if and only if either LT-Random-OT protocol is aborted. 

We now prove that this LT-Random-OT protocol has cheating probabilities equal to those in 
Theorem ll.5l We show it for cheating Alice as the case for cheating Bob is almost identical. Since 
x > y, Alice would prefer the outcome of the WCF protocol to be c = 0. She can force c = with 
probability Awcf and in this case she can learn b with probability X. If c = 1, she can learn b with 
probability y. Letting A ROT be the amount she can learn b in the protocol above, we have 

A ROT = A W cf x + (1 - A W cf) y = A WCF (x - y) + y. 

All that remains to prove Theorem [L5] is to show that an LT-Random-OT protocol with cheat- 
ing probabilities (Arot, Brot) = implies the existence of an LT-Random-OT protocol with 
cheating probabilities (Arot, Brot) = for any oc,B G [1/2,1]. This way, we can just set 
x = max{a,/3} and y = min{a, B}. 

3.3 Symmetry in LT-Random-OT protocols 

Suppose we have an LT-Random-OT protocol with cheating probabilities (Arqt/ Brot) = ( a ' P)> 
for some ct,B G [1/2, 1]. We now show how to create an LT-Random-OT protocol with cheating 
probabilities (Arqt/ £>rot) = {&> a )- The trick is to switch the roles of Alice and Bob. 

Protocol 3.5 (A Random-OT protocol (randomized version of a protocol in IWW06D ). 

(i) Alice and Bob use an LT-Random-OT protocol with cheating probabilities (Arqt, £>rot) = 
except that Bob is the sender and Alice is the receiver. Let Alice's output be {b,X\,) and let Bob's 
output be (xq, xi). 

(ii) Alice randomly chooses d G {0, 1} and sends d® Xj, to Bob. 

(iii) Alice outputs (x' Q , x[) = (d, d © b) and Bob outputs (b',m) = (xq © X\,d® X\, © Xq). 
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(iv) Alice and Bob abort if and only if the LT-Random-OT protocol is aborted. 

Notice this protocol is loss-tolerant since classical messages can be resent if lost in transmission. 
We can write Bob's output m as d © acj, © Xo = d®bb' '. Thus, if V = then m = d = x' Q and if V = 1 
then m = d © b = x[. Therefore Bob gets the correct value for x' ¥ . Since x' Q © x[ = d® (d®b) = b, 
honest Bob gets no information about Alice's other bit and cheating Bob can learn x' © x[ with 
maximum probability oc. Since b' = x$ © X\, honest Alice gets no information about b' and cheating 
Alice can learn b' with maximum probability B. Therefore, (Arotv Brot) = (A as desired. Since 
b, xq, x\, and d are all randomly generated, so are x' , x' v and V making this a valid LT-Random-OT 
protocol. 

This completes the proof of Theorem ll.5l 
3.4 An unfair LT-Random-OT protocol 

We present here an LT-Random-OT protocol with cheating probabilities (Arqt, £>rot) = (1/2, 1). 
Note that even though this protocol has bias £rot = 1/2, it can be used to create a protocol with 
smaller bias using recent LT-WCF protocols and Theorem ll.5l 

Protocol 3.6 (An unfair LT-Random-OT protocol). 

(i) Bob randomly chooses an index b G {0, 1} and another random bit d G {0, 1}. 

(ii) Bob sends Alice the qubit H b \d). 

(iii) Alice randomly chooses xq, x\ G {0, 1} and applies the unitary X x °Z Xl to the qubit. 

(iv) Alice returns the qubit to Bob which is in the state X x °Z Xl H b \d) = H b \xy © d) (up to global phase). 

(v) Bob has a two-outcome measurement (depending on b and d) to learn x^ perfectly. 

(vi) If any messages are lost the protocol is restarted from the beginning. 

We see that this is a valid Random-OT protocol. Firstly, because honest Bob learns Xj, and gets 
no information about Xj (since H b |x& © d) does not involve Xg). Secondly, Alice cannot learn any 
information about b, even if she is dishonest, since the density matrices for b = and b — 1 are 
identical. Therefore Arot = 1/2. This protocol is loss-tolerant concerning cheating Alice since b 
and d are reset if any messages are lost so Alice cannot accumulate useful information. It is also 
loss-tolerant concerning cheating Bob since he can already learn both of Alice's bits perfectly. He 
can do this by first sending Alice half of 

|* +> = _l|oo> + -L|n>. 

Each choice of (xq, X\) corresponds to Bob having a different Bell state at the end of the protocol. 
From this, Xq and X\ can be perfectly inferred, yielding Brqt = 1- 

4 Conclusions and open questions 

We have designed a way to build LT-OT protocols by using an LT-WCF protocol to help balance 
the cheating probabilities in a (possibly unfair) LT-Random-OT protocol. This protocol uses well 
known reductions between OT and Random-OT and the reduction to switch the roles of Alice and 
Bob. 
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The construction in this paper is robust enough to design OT protocols with other definitions 
of cheating Bob. Suppose that Bob wishes to learn f(xo, X\) where / 7^ XOR is some functionality. 
In this case, we may not be able to switch the roles of Alice and Bob in a way that switches the 
cheating probabilities as in Subsection l3.3l However, instead of just using one LT-Random-OT pro- 
tocol and creating another from it, we could have just as easily used two different LT-Random-OT 
protocols (with a consistent notion of cheating Bob). 

A limitation of this protocol design is that is uses LT-Random-OT protocols as subroutines. 
Even if LT-WCF protocols with bias £wcf ~ ar e constructed, using the protocols in Subsection l3.4l 
can reduce the bias to only £ot ~ 1/4. It would be interesting to see if there exists an LT-OT 
protocol with cheating probabilities (Aqj, Bqt) = /3) where oc + /5 < 3/2. 

An open question is to show if using more LT-WCF subroutines can help improve the bias. 
In IICK09L many WCF protocols were used to drive the bias of a SCF protocol down towards the 
optimal value of 1 / \/2 — 1/2. Can something similar be done for OT or LT-OT? 
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